Step-up MFA

Wessel, Keith kwessel at
Mon May 13 15:46:50 EDT 2019


It was brought to my attention this morning that some step-up MFA that we had working is no longer working.

We require MFA for all faculty, staff, and grad students; undergrads opt in. We have a couple of SPs that, despite my best efforts at convincing folks otherwise, don't require MFA for anyone. We pull off all of this magic with an attribute definition that takes into account MFA group memberships and the SP requesting authentication.

When I rolled this out, you could go to one of the SPs that was 2FA exempted and log in with your password. You could then go to any other SP and be prompted to do the 2FA part to step up the authentication.

I was informed this morning that going first to the exempted SP then to any other SP lets you into both without step-up. Not good, obviously.

Am I correct that an authentication request on an existing IdP session will cause the IdP to evaluate the requested authentication contexts against those the user has already satisfied? And if one has not already been satisfied, the IdP will go through the MFA authn flow again to satisfy a requested context? And at that time, the MFA script will resolve any attributes coded into it to resolve (like the eduPersonAssurance attribute) along with any dependent attributes. I want to make sure that my issue isn't attribute caching or even the MFA flow not running at all.

I've checked over my logic in my MFA script and my attribute definitions and can't find any reasons why this wouldn't be working, and I know it did in the past. So, I thought I'd confirm how things _should_ work for step-up.
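Added example, not from the post and not Shibboleth IdP code: a stand-alone JavaScript model of the step-up behaviour the post expects (required context derived from group membership and the requesting SP, the existing session's satisfied contexts compared against the request, and the assurance attribute derived from what was actually satisfied). The policy, group names, SP entityIDs and the MFA context class are constructed placeholders.

```javascript
// Constructed, stand-alone model of the expected step-up evaluation.
// It uses no IdP API; every name below is illustrative.

const PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
const MFA = "http://id.example.org/ac/mfa"; // placeholder class for the second factor

// Constructed policy: groups that require MFA, opt-in users, and SPs exempt from MFA.
const policy = {
  mfaGroups: new Set(["faculty", "staff", "gradstudent"]),
  optIn: new Set(["ugrad2"]),
  exemptSPs: new Set(["https://legacy.example.org/shibboleth"]),
};

// Which context the IdP should demand for this user at this SP.
function requiredContext(user, spEntityID) {
  if (policy.exemptSPs.has(spEntityID)) return PASSWORD;
  const needsMfa = user.groups.some((g) => policy.mfaGroups.has(g)) || policy.optIn.has(user.name);
  return needsMfa ? MFA : PASSWORD;
}

// Does the existing session already satisfy the requested context? If not, step-up runs.
function stepUpNeeded(session, requested) {
  return !session.satisfied.has(requested);
}

// Simulate one login against a (possibly existing) session.
// Returns the flows that ran and the assurance value derived from the session.
function login(session, user, spEntityID) {
  const requested = requiredContext(user, spEntityID);
  const ran = [];
  if (!session.satisfied.has(PASSWORD)) { session.satisfied.add(PASSWORD); ran.push("authn/Password"); }
  if (stepUpNeeded(session, requested)) { session.satisfied.add(requested); ran.push("authn/MFA"); }
  // Attribute value comes from what was actually satisfied, not from what was requested.
  const assurance = session.satisfied.has(MFA) ? "mfa" : "password-only";
  return { ran, assurance };
}

// The sequence from the post: exempt SP first, then a normal SP.
// The expected result is that step-up runs on the second visit.
function scenario() {
  const session = { satisfied: new Set() };
  const faculty = { name: "prof1", groups: ["faculty"] };
  const first = login(session, faculty, "https://legacy.example.org/shibboleth");
  const second = login(session, faculty, "https://wiki.example.org/shibboleth");
  return { first, second };
}
```

If the second visit in this model returns an empty `ran` list, the session was treated as already satisfying the MFA context; in the real IdP that is the comparison to check first, before looking at attribute caching.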
